nix: fix initrd integration test

2022-11-28 11:27:31 +01:00 · 2022-11-28 11:27:31 +01:00 · d35ca2d7d3
parent 85b111aa17
commit d35ca2d7d3
1 changed files with 17 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -139,7 +139,10 @@
            };
          };
        };
-        mkUnsignedTest = { name, path }: mkSecureBootTest {
+
+        # Execute a boot test that is intended to fail.
+        #
+        mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest {
          inherit name;
          testScript = ''
            import json
@ -156,10 +159,14 @@
            src_path = ${path.src}
            dst_path = ${path.dst}
            machine.succeed(f"cp -rf {src_path} {dst_path}")
+          '' + lib.optionalString appendCrap ''
+            machine.succeed(f"echo Foo >> {dst_path}")
+          '' +
+          ''
            machine.succeed("sync")
            machine.crash()
            machine.start()
-            machine.wait_for_console_text("panicked")
+            machine.wait_for_console_text("Hash mismatch")
          '';
        };
      in
@ -211,13 +218,21 @@
            assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
          '';
          };
+
+          # The initrd is not directly signed. Its hash is embedded
+          # into lanzaboote. To make integrity verification fail, we
+          # actually have to modify the initrd. Appending crap to the
+          # end is a harmless way that would make the kernel still
+          # accept it.
          is-initrd-secured = mkUnsignedTest {
            name = "unsigned-initrd-do-not-boot-under-secureboot";
            path = {
              src = "bootspec.get('initrd')";
              dst = "convert_to_esp(bootspec.get('initrd'))";
            };
+            appendCrap = true;
          };
+
          is-kernel-secured = mkUnsignedTest {
            name = "unsigned-kernel-do-not-boot-under-secureboot";
            path = {